AWS Security Hub releases the ability to disable specific compliance controls
AWS Security Hub now allows you to disable specific compliance controls that are not relevant to you. For example, if control 2.3 from the CIS AWS Foundations Benchmark (“Ensure that the S3 bucket used to store CloudTrail logs is not publicly accessible”) is not relevant in a particular account or region because you have a centralized logging bucket set up in another account or region, you can disable that control either via the Security Hub console or via the API. Disabled controls are not counted against your compliance readiness score for that standard, and they have a mandatory field to explain why the control has been disabled. Disablement actions are logged to AWS CloudTrail. Security Hub’s documentation provides specific examples of controls that you may want to disable depending on your account setup.
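
One way to script the API path described above with boto3, as an added example that is not code from AWS or from this announcement. The helper names, the "CIS.2.3" ControlId value and the reason text are assumptions; confirm the ControlId against the describe_standards_controls output in your own account.

```python
"""Disable one Security Hub control with a documented reason (added example)."""


def find_control(client, control_id):
    """Return the matching control records across the enabled standards."""
    matches = []
    # First page of subscriptions only; accounts rarely enable more standards.
    subs = client.get_enabled_standards()["StandardsSubscriptions"]
    for sub in subs:
        kwargs = {"StandardsSubscriptionArn": sub["StandardsSubscriptionArn"]}
        while True:
            page = client.describe_standards_controls(**kwargs)
            matches += [c for c in page["Controls"] if c["ControlId"] == control_id]
            token = page.get("NextToken")
            if not token:
                break
            kwargs["NextToken"] = token
    return matches


def disable_control(client, control_id, reason):
    """Disable control_id wherever it is enabled; return the ARNs changed."""
    # The reason field is mandatory, so reject blank input before any API call.
    if not reason or not reason.strip():
        raise ValueError("a non-empty reason is required to disable a control")
    changed = []
    for control in find_control(client, control_id):
        if control.get("ControlStatus") == "DISABLED":
            continue  # already disabled, keep the existing reason
        client.update_standards_control(
            StandardsControlArn=control["StandardsControlArn"],
            ControlStatus="DISABLED",
            DisabledReason=reason.strip(),
        )
        changed.append(control["StandardsControlArn"])
    return changed


if __name__ == "__main__":
    import boto3  # needs credentials and a Region with Security Hub enabled

    hub = boto3.client("securityhub")
    # "CIS.2.3" is an assumed ControlId value, not taken from the announcement.
    print(disable_control(hub, "CIS.2.3",
                          "CloudTrail logs go to a central bucket in another account"))
```

Because each disablement is logged to CloudTrail, the returned ARNs can be matched against that trail when reviewing who turned a control off and why.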